What This Error Means
npm requires a one-time password (2FA) for this operation.
How to Fix It
- Check which registry npm is using: npm config get registry
- If the package is scoped, verify scope registry mapping in .npmrc (example: @your-scope:registry=...).
- If the command supports it, pass the OTP: npm <cmd> --otp=123456
- For CI, use an automation token that is allowed for your org policy (or adjust the 2FA requirement for the operation).
- Re-login if your token is stale: npm logout, then npm login
Why It Happens
- Your account or the package requires 2FA for publish or restricted operations.
- You are using a token that is not allowed for the requested 2FA policy.
How to Verify
- Re-run the original command and confirm it completes without prompting for OTP again.
- Confirm the authenticated identity: npm whoami
Manual authentication checks
- Check current auth: npm whoami
- Inspect .npmrc for token config and registry routing.
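An added example (not from the original page or the npm project) of the .npmrc inspection described above: it reports which registry a package name routes to and whether a token entry exists for that registry, without printing the token. The scope, host, package and token values are constructed, and the lookup is a simplified model that reads one file's text only.

```javascript
// Added example: inspect .npmrc text for registry routing and token config.
// Simplified model of npm's lookup; does not merge project/user/global files.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Credential keys are scoped to "//host/path/" (no protocol).
function credentialKey(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return `//${u.host}${path}`;
}

function inspectAuth(npmrcText, packageName) {
  const cfg = parseNpmrc(npmrcText);
  const scope = packageName.startsWith('@') ? packageName.split('/')[0] : null;
  const scoped = scope && cfg[`${scope}:registry`];
  const registry = scoped || cfg.registry || 'https://registry.npmjs.org/';
  const key = `${credentialKey(registry)}:_authToken`;
  const token = cfg[key];
  let tokenKind = 'none';
  if (token) tokenKind = /^\$\{[^}]+\}$/.test(token) ? 'env-reference' : 'literal';
  return {
    registry,
    routedBy: scoped ? `${scope}:registry` : cfg.registry ? 'registry' : 'default',
    tokenKey: key,
    tokenKind, // the token value itself is never returned
  };
}

// Constructed sample .npmrc (hypothetical scope, host and token values).
const SAMPLE = [
  '# constructed sample',
  'registry=https://registry.npmjs.org/',
  '@your-scope:registry=https://npm.example.test/private',
  '//npm.example.test/private/:_authToken=${NPM_TOKEN}',
  '//registry.npmjs.org/:_authToken=npm_CONSTRUCTED_PLACEHOLDER',
].join('\n');

console.log(inspectAuth(SAMPLE, '@your-scope/pkg'));
console.log(inspectAuth(SAMPLE, 'some-public-pkg'));
```

A tokenKind of 'literal' in a committed .npmrc is worth flagging on its own: CI tokens are better supplied through an environment reference.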
Common CLI Output
npm ERR! code EOTP
npm ERR! This operation requires a one-time password from your authenticator.
How npm uses registry credentials
- npm uses registry tokens for authentication and enforces registry policy (including 2FA requirements).
- Some operations require an OTP in addition to a token.
Prevention Tips
- Use automation tokens for CI instead of personal tokens.
- Document org 2FA requirements so publish/install workflows are predictable.
Where This Can Be Triggered
github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/utils/get-identity.js
This is a registry authentication call path. Auth errors such as this one appear when the registry returns 401/403 for these endpoints.
  // No username, but we have other credentials; fetch the username from registry
  if (creds.token || creds.certfile && creds.keyfile) {
    const registryData = await npmFetch.json('/-/whoami', { ...opts })
    if (typeof registryData?.username === 'string') {
      return registryData.username
    }
  }